Thursday, September 22, 2011

Cisco IOS IPS (Filtering with IOS Part 10)

R2 will serve as the IPS preventing specific traffic between R1 and R3.

To begin with IOS IPS, I must download the IPS files from Cisco.com
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162
and the public crypto key used by IOS IPS http://download-sj.cisco.com/cisco/ciscosecure/ids/sigup/5.0/ios/realm-cisco.pub.key.txt

Next, I will create a directory on R2 to store the IPS signature files and configurations.

R2#mkdir IPS
Create directory filename [IPS]?
Created dir flash:/IPS
R2#dir
Directory of flash:/

Now I'll copy the contents of the key realm-cisco.pub.key.txt to R2 to configure the crypto key used by IOS IPS.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"

R2(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....

Now, I'll create a rule name that will be used on an interface, point IOS IPS to the directory that will contain the IPS signature files, and enable IPS SDEE and log notifications. Note that SDEE notifications will not work unless ip http server is enabled.

R2(config)#ip ips name IOSIPS
R2(config)#ip ips config location flash:IPS
R2(config)#ip ips notify sdee
R2(config)#ip ips notify log
R2(config)#ip http server

To load the IOS IPS signature file I downloaded earlier, I created an FTP server at 192.168.1.1 and connected to it with R2's VLAN2 interface, 192.168.1.2. I'll use FTP to copy the file with the parameter "idconf". This parameter initiates the compiling process once the copy is complete.

R2#copy ftp://jason:cisco@192.168.1.71/IOS-S595-CLI.pkg idconf
Loading IOS-S595-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 13572723/4096 bytes]
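As an added example (not part of the original post), here is a Python check that audits a saved running-config for the IOS IPS prerequisites walked through above: the realm-cisco.pub signature key, a rule name that is both defined and applied to an interface, a config location, and, because SDEE is delivered over HTTP, ip http server whenever ip ips notify sdee is set. The sample config and the helper name are constructed for this example.

```python
import re

# Constructed sample running-config excerpt (not captured from a real router) that
# contains the IOS IPS pieces configured in the post. Helper names are hypothetical.
SAMPLE_CONFIG = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  quit
!
ip ips name IOSIPS
ip ips config location flash:IPS
ip ips notify sdee
ip ips notify log
ip http server
!
interface Vlan2
 ip address 192.168.1.2 255.255.255.0
 ip ips IOSIPS in
!
"""

def audit_ios_ips(config):
    """Return a list of findings for IOS IPS prerequisites missing from a running-config."""
    lines = config.splitlines()
    top = {l.strip() for l in lines if l and not l.startswith(" ")}  # global commands
    findings = []
    # The signature-package key must be a 'signature' named-key under the rsa pubkey-chain;
    # track the parent block while scanning so a key elsewhere is not miscounted.
    in_chain, has_key = False, False
    for l in lines:
        if l.startswith("crypto key pubkey-chain rsa"):
            in_chain = True
        elif not l.startswith(" "):
            in_chain = False
        elif in_chain and l.strip() == "named-key realm-cisco.pub signature":
            has_key = True
    if not has_key:
        findings.append("missing 'named-key realm-cisco.pub signature' under crypto key pubkey-chain rsa")
    # Rule names defined globally versus names applied on an interface ('ip ips <name> in|out')
    defined = {m.group(1) for l in top if (m := re.fullmatch(r"ip ips name (\S+).*", l))}
    applied = {m.group(1) for l in lines if (m := re.fullmatch(r" ip ips (\S+) (in|out)", l))}
    if not defined:
        findings.append("no 'ip ips name <rule>' defined")
    for name in sorted(defined - applied):
        findings.append(f"rule {name} is defined but not applied to any interface")
    for name in sorted(applied - defined):
        findings.append(f"interface references undefined rule {name}")
    if not any(l.startswith("ip ips config location ") for l in top):
        findings.append("no 'ip ips config location' for signature files")
    # SDEE notifications ride on the HTTP server, so 'notify sdee' without it is silent
    if "ip ips notify sdee" in top and "ip http server" not in top:
        findings.append("'ip ips notify sdee' configured but 'ip http server' is not enabled")
    return findings

if __name__ == "__main__":
    for f in audit_ios_ips(SAMPLE_CONFIG) or ["IOS IPS prerequisites present"]:
        print(f)
```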